Blocking Queries

When necessary, LogScale can be configured to prevent queries from executing. There are many scenarios in which one might consider blocking a query or a pattern that matches many queries. For instance, a query pattern may use a large portion of the system's resources. Or a particular query is known to be used for malicious purposes (e.g., searching for secure secrets). Or it may be that a log line contains information that should never want searched.

Blocks can be added by defining the following conditions:

Based on a regular expression using the standard LogScale regular expression mechanics
Based on an exact matching query, explicitly matching the defined string.
Either against a specific Repository or all repositories.

Figure 17. Query Administration Blocklist

The list of currently blocked queries is shown in the Blocklist page and includes the following information:

Pattern
The string or regular expression of the query that is blocked.
Type
Whether the block is based on an Exact Match or Regular Expression.
Expires
When the block expires.
View/Repo
The view or repository to which the block applies.

Falcon LogScale Self-Hosted 1.132.0-1.137.0 (Preview)

Self-Hosted Overview

Installing LogScale

Self-Hosted Admin.

Organization Essentials

Configuring Security

Authentication & Identity Providers

Users & Permissions

Cluster Management

Configuration Settings

Ingesting Data

LogScale Configuration Parameters

LogScale URLs & Endpoints

Limits & Standards

Data Analysis 1.132.0-1.137.0

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts

Blocking Queries

Enter search term